October 5, 2022

Fortify Security Team

Title: OnionPoison: malicious Tor Browser installer served through a popular Chinese YouTube channel
Date Published: October 5, 2022


Excerpt: “Kaspersky researchers discovered that a trojanized version of a Windows installer for the Tor Browser has been distributed through a popular Chinese-language YouTube channel. The campaign, named OnionPoison, targeted users located in China, where the Tor Browser website is blocked. Users in China often attempt to download the Tor browser from third-party websites. In the OnionPoison campaign, threat actors shared a link to a malicious Tor installer, posting it on a popular Chinese-language YouTube channel providing info on anonymity on the internet. The channel has more than 180,000 subscribers and according to Kaspersky the video with the malicious link had more than 64,000 views at the time of the discovery. The video was posted in January 2022, and according to Kaspersky’s telemetry, the first victims were compromised in March 2022. The malicious version of the installer installs a malicious Tor Browser that is configured to expose user data, including the browsing history and data entered into website forms. The experts also discovered that the libraries bundled with the malicious Tor Browser are infected with spyware. “More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.” reads Kaspersky’s analysis. “We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.” The description of the video includes two links, one to the official Tor Browser website, while the other points to the malicious Tor Browser installer hosted on a Chinese cloud sharing service.”

Title: Another Telco Breach Rocks Australia
Date Published: October 4, 2022


Excerpt: “Australian telecommunications provider Telstra said Tuesday it suffered a “minimal risk” data breach just weeks after rival Optus underwent a major cybersecurity incident. Telstra, Australia’s largest network provider, attributed the breach to the provider of a now-obsolete employee rewards program. “There has been no breach of Telstra’s systems. And no customer account data was involved,” the company says. A hacker going by the handle of PwnSec posted Telstra information to the same online forum where someone last week published two samples of data taken from Optus (see: Optus Under $1 Million Extortion Threat in Data Breach). PwnSec attributes the stolen data to myrewards, a website that connects brands with shoppers. Appearing in the publicly-viewable portions of the dataset are emails that correspond to the web domain of National Australia Bank, one of that country’s “Big Four” lenders. The bank did not respond to an inquiry from Information Security Media Group.”

Title: New Android malware ‘RatMilad’ can steal your data, record audio
Date Published: October 5, 2022


Excerpt: “A new Android spyware named ‘RatMilad’ was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. The RatMilad spyware was discovered by mobile security firm Zimperium who warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victims’ conversations. “Similar to other mobile spyware we have seen, the data stolen from these devices could be used to access private corporate systems, blackmail a victim, and more,” warned a new report by Zimperium Labs shared with BleepingComputer before publication. “The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices”. The spyware is distributed through a fake virtual number generator used for activating social media accounts called “NumRent.” When installed, the app requests risky permissions and then abuses them to sideload the malicious RatMilad payload. The main distribution channel for the fake app is Telegram, as NumRent, or other trojans carrying RatMilad, aren’t available on the Google Play Store or third-party stores. The RatMilad threat actors have also created a dedicated website to promote the mobile remote access trojan (RAT) to make the app appear more convincing. This website is promoted through URLs shared on Telegram or other social media and communication platforms.”

Title: Ransomware: This is how half of attacks begin, and this is how you can stop them
Date Published: October 5, 2022


Excerpt: “Over half of ransomware attacks now begin with criminals exploiting vulnerabilities in remote and internet-facing systems as hackers look to take advantage of unpatched cybersecurity issues. According to analysis of ransomware incidents during the past year by researchers at security company Secureworks, 52% of attacks started with malicious hackers exploiting remote services. Vulnerabilities in internet-facing applications have become the most common attack vector for ransomware operations. Often, these internet-facing applications are standard across enterprise environments around the world, making them a very tempting target for malicious hackers. These applications and services could be internet-facing because organizations need them to enable employees to work remotely – or organizations might not even be aware that these applications are exposed to the internet at all.”

Title: Qakbot: Analysing a Modern-Day Banking Trojan
Date Published: October 5, 2022


Excerpt: “In cybersecurity terms, the Trojan horse is nothing new. While the name derives from Greek mythology – the story of a wooden horse said to have helped the Greeks enter Troy and win the Trojan war – of course, it has a very different connotation in the digital sphere. Just as the Trojan horse appeared to be a legitimate gift hiding an inner threat, a Trojan virus looks legitimate but hides inner malware, typically as an attachment in an email or downloadable file. Among the most common is the banking Trojan, with Qakbot a prime example. Also known as QBot or Pinkslipbot, it’s been around for 15 years, having been found in the wild in 2007. Continually developed and evolved by threat actors, Qakbot continues to wreak havoc on organizations in many ways. While it’s mainly used to steal banking credentials, it has also been deployed to spy on financial operations and install ransomware.”

Title: A flaw in the Packagist PHP repository could have allowed supply chain attacks
Date Published: October 4, 2022


Excerpt: “Experts disclosed a flaw in the PHP software package repository Packagist that could have been exploited to carry out supply chain attacks. SonarSource researchers disclosed details about a now-fixed vulnerability (CVE-2022-24828) in the PHP software package repository Packagist that could have been exploited to carry out supply chain attacks. The issue was addressed within hours by the maintainers of the impacted repository. “Sonar discovered and responsibly disclosed a critical vulnerability in Packagist, a central component of the PHP supply chain, to help secure developer tools.” reads the post published by SonarSource. “This vulnerability allows gaining control of Packagist. It is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects. Virtually all organizations running PHP code are using Composer, which serves 2 billion software packages every month. More than a hundred million of these requests could have been hijacked to distribute malicious dependencies and compromise millions of servers.” The experts pointed out that an attacker could have triggered the high-severity flaw to take control of the server distributing information about existing PHP software packages, and potentially to compromise every organization that uses them.”

Title: Ransomware Group Bypasses “Enormous” Range of EDR Tools
Date Published: October 5, 2022


Excerpt: “A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools. BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1,000 drivers used by commercially available EDR products, according to Sophos. The UK cybersecurity vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in the Windows graphics utility driver RTCore64.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools. The group also used EDR bypass techniques borrowed from the open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider.”

Title: Microsoft Updates Mitigation for Exchange Server Zero-Days
Date Published: October 4, 2022


Excerpt: “Researchers had discovered that Microsoft’s original mitigation steps for the so-called “ProxyNotShell” flaws were easily bypassed. Microsoft today updated its mitigation measures for two recently disclosed and actively exploited zero-day vulnerabilities in its Exchange Server technology after researchers found its initial guidance could be easily bypassed. Microsoft’s original mitigation for the two vulnerabilities — CVE-2022-41040 and CVE-2022-41082 — was to apply a blocking rule to a specific URL path using the URL Rewrite Module on IIS Server. According to the company, adding the string “.*autodiscover\.json.*\@.*Powershell.*” would help block known attack patterns against the vulnerabilities. However, security researchers — including Vietnam-based security researcher Jang, Kevin Beaumont, and others — had noted that attackers can easily bypass the Microsoft-recommended mitigation to exploit the vulnerabilities. “The ‘@’ in the Microsoft-recommended “.*autodiscover\.json.*\@.*Powershell.*” URL block mitigations for CVE-2022-41040 [and] CVE-2022-41082 seems unnecessarily precise, and therefore insufficient,” security researcher Will Dormann said in a tweet. “Probably try “.*autodiscover\.json.*Powershell.*” instead,” he wrote. The CERT Coordination Center at Carnegie Mellon University appeared to echo the recommendation in its note about the vulnerabilities. “The recommended block pattern is “.*autodiscover\.json.*Powershell.*” (excluding the @ symbol) as a regular expression to prevent known variants of the #ProxyNotShell attacks,” CERT said.”

Title: Hackers stole data from US defense org using Impacket, CovalentStealer
Date Published: October 4, 2022


Excerpt: “The U.S. Government today released an alert about state-backed hackers using a custom CovalentStealer malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector. The compromise lasted for about ten months and it is likely that multiple advanced persistent threat (APT) groups compromised the organization, some of them gaining initial access through the victim’s Microsoft Exchange Server in January last year. Entities in the Defense Industrial Base Sector provide products and services that enable support and deployment of military operations.”

Title: What to Know about APIs, the “On-Ramps to the Digital World”
Date Published: October 4, 2022


Excerpt: “An application programming interface, or API, is a defined process that allows data to be shared between applications or programs. Each API consists of a set of rules that dictates how communication occurs between a client and a server or external program. The required request format, the authentication process, and the encryption of data all have set guidelines so that the API knows what information to share and when and how to share it. Examples of APIs include universal log-in interfaces, when a website allows users to log in using their credentials from a site like Google or Facebook rather than creating a new set of log-in credentials for every single website, and third-party payment processes, when a payment is processed using a third-party application such as PayPal. They allow data to be gathered from an external server or program in order to make the process of logging into an account or submitting a payment online easier.”
